Essential guidance: Ten ways for agents to prepare for new data protection rules

Estate and letting agents in the UK are six months away from the introduction of the EU-wide General Data Protection Regulation (GDPR).

These will require all businesses that handle personal data to implement a far more rigorous protection regime than we have seen previously.

Is the industry ready? Anecdotally and through my discussions with colleagues, partners and customers, I’d say most are certainly keeping up with the curve. In some areas I think agents are ahead of it.

However, the all-encompassing nature of the legislation carries inherent risk, whether you’re an online operator and not sure whether you’re a data controller or data processor; a nationwide chain with a specialist data officer struggling to standardise the organisation’s many tentacles; a high street independent with one or perhaps a few branches; or a small family-owned lettings business.

With this mix in mind, here are my top ten tips on how agents of all specialisms and sizes should be thinking about GDPR with six months to go:

  1. Get the basics right

Your agency’s basic digital system must be secure. If this isn’t in place, none of your more high-tech preparation is worthwhile. Whether a device (for example a personal computer or mobile phone) is connected to an intranet, the internet or nothing at all, it must be password protected.

Likewise, each branch’s internet connection and servers must be secure, so check what your service provider has in place.

Free wifi for visitors to your branch absolutely must be via a separate network, not the one your staff use.

  1. Share the burden with the cloud

The physical security of data in a data centre is always going to be stronger than anything an individual agent could achieve with a local network.

Off-premises, cloud-based solutions put agents in a better place in terms of GDPR because much of the burden is shared with or passed to the provider.

It’s time for agents to think about moving anything installed locally to a private cloud service.

  1. Build GDPR into every process

Data protection needs to be in the default design of all agency processes.

If you scan a hard copy with details of a let, where does the hard copy go next?

Where is the new PDF saved? Is it hosted online?

All of this is need-to-know information.

Likewise, websites with contact forms now require far greater security. If a potential customer simply sends in their name and email address, this process needs to adequately protect their details.

  1. Bring your suppliers in line

Most agents regularly share customer data with trusted suppliers such as lawyers or property maintenance companies.

Under GDPR, the interfaces and connections to your suppliers should be firewall and password protected.

In addition, ask your suppliers about their own data security to make sure it’s as strong as you would like. You also need to know that services you might use such as Google Drive and MailChimp are secure.

  1. Get explicit permission from customers at every stage

Under GDPR, personal privacy is the default.

Agents need explicit permission from a customer for everything their data is used for and every point of contact.

For example, a customer who has agreed to hear from you in the form of a brochure has not consented to be contacted about their home insurance. This could drastically impact the ways we currently market and cross-sell products. Customers and potential customers need to opt-in at every stage.

  1. Remove personal identifiers

Data that can identify your customers needs to be pseudonymised.

Datasets must be connected with, for example, a reference number rather than personal identifiers. In practical terms, this means that the details of a let (e.g. how much money a customer owes) must be identifiable only via a unique number rather than the customer’s name.

  1. Plan for a breach

Any processor of personal data that suffers a breach needs to be able to inform both the data controller and the customers affected within 72 hours.

Put in place a protocol for doing so, whilst ensuring that you closely monitor your systems, firewalls, spam filters and connections.

  1. Get ready to press delete

Data is valuable and in recent years we’ve been focused on how to collect and make use of it.

Now we need a procedure for getting rid of every trace. Customers have the right to ask an agent to delete all information you hold on them – to ‘forget’ them.

It’s your responsibility to make sure that this is completed by your agency and all partners and suppliers, including cloud hosts who may have multiple copies. The more unified and automated this process can be, the better.

  1. Use software to share

Individual customers can also request that you transfer their data to a different supplier, even if this is a rival business.

Their data needs to be stored in a way that allows you to easily provide a copy of any information you hold on that customer. This is markedly easier for agents who have or buy-in an industry-grade software platform.

  1. Don’t overlook physical security

There’s a tendency to think GDPR is all about intangible data sets tucked away on servers or floating in the cloud. It’s imperative that basic lock-and-key security doesn’t get left behind.

Make sure that all branches and offices are secure, and that physical copies of any personal data are kept in locked cabinets. A Filofax or USB stick of phone numbers are just as vulnerable as an online database. If you’re leaving lists of customers out on desks overnight, you’re not ready for GDPR.


If the rigours of GDPR ever feel prohibitive, I try to view them through the lens of their value to me as an individual rather than as an agent.

It helps to understand that GDPR protects us, our colleagues and our customers, even as they require changes to how our businesses must handle data.

Fundamentally, preparing for GDPR is about being diligent and thorough. If agents are fully compliant with existing legislation, then you are already part of the way there. But under the new rules, in addition to auditing your own processes and security, achieving customer opt-in at every stage and understanding the ways that suppliers and partners work will be key.

Vik Tara is the CTO of Technology Blueprint Ltd (TBL), a proptech consultancy

Reapit EOS

Email the story to a friend

More top news stories


  1. RichardHill61

    Uber recently “lost” the personal information of 10million clients!

    I’d say the latest regulation is more unnecessary legislation and cost to the industry.

    Which master criminal will be hacking their local independent estate agents?


    1. marlington52

      As a small agent we have had at least one phishing attempt a month usually from Rightmove and Zoopla inquiries.   They email links which claim to have details on the applicants search but is a link to a malicious site.

      I assume as they are looking for targets for fraud like this

      Or just personal info on Tenants and Landlords to use for credit applications.

  2. PatrickS53

    This is a great article, and a great step by step guide for all companies to use. I hope you don’t mind if i reference this on a blog in the near future.

    In response to Richard, I don’t think that this is unnecessary regulation, i think it actually just puts more pressure on the likes of Uber as you mention to tow the line when it comes to data security, the proposed % of revenue fine is aimed at the major corporations as a deterrent. Being data security conscious for me is about business sense rather than a reaction to legislation, the reputational damage alone makes being prudent and proper with the data you hold worthwhile.

    I must say i do have a bias with our company being a data destruction and confidential waste disposal company though. If you want to know about us check out our site

  3. Surveyor



    As we are legally bound to keep information in case of a claim for at least 6 years, 12 in theory for Tort cases, then how does that square with the requirement to ‘forget’ a customer?  It’s not possible to be compliant with the law and regulatory requirements it seems.

    Any more illumined colleagues have an answer to this, please share.




You must be logged in to report this comment!

Comments are closed.

Thank you for signing up to our newsletter, we have sent you an email asking you to confirm your subscription. Additionally if you would like to create a free EYE account which allows you to comment on news stories and manage your email subscriptions please enter a password below.